Quick Start Guide for Data Classification

Steps

Properly classifying and protecting data is a repeated, four-step process:

Review

Process - The following steps should be performed on the data set that you are assessing.

Do you have any of the data assets or data elements identified in the official listing? If so, use the highest level for each Security Objective.

Using Policy 93.001, how would you likely assess the classification of the data on your system? If any of the data should be protected at a higher level than the official listing, use that level for your next steps on each security objective.

Tools

Identity Finder

Reduce

Process

Make sure your department has a Retention Schedule as defined in 93.002 and that you follow it.

If information that has been identified as sensitive is outside your retention window for that record type, dispose of it in a secure manner.

Tools

Electronic Data

DBAN - for erasing entire hard drives

Eraser - Windows tool for securely erasing files

Secure Empty Trash - Mac process for securely erasing files

Redact

Process - If your business process allows for it, it is generally a good idea to substitute less sensitive information for more sensitive information.

Instead of using SSN as your identifier, use PID, which does not have any use for individuals beyond the University.

If using data for statistical modeling or research, de-identify the information by removing the personal information (name, address, phone number, SSN, Health Insurer Number, etc.) of the individuals to whom the data belongs. An important thing to consider when de-identifying is that sometimes a collection of data can uniquely identify an individual even if no single piece of information would. For example, a male who lives on Smith Street in Anytown, drives a red pickup, and has 6 children may reasonably describe only one person in the world.
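The check described above, as an added example that is not part of the original guide: after direct identifiers are removed, count how many records share each combination of the remaining attributes, and flag any combination held by fewer than k records. The column names, the sample rows and the generalization rule (drop street and vehicle, bucket the child count) are assumptions constructed for illustration.

```python
from collections import Counter

# Column names are assumptions for this example, not taken from Policy 93.001.
DIRECT_IDENTIFIERS = {"name", "ssn"}
QUASI_IDENTIFIERS = ("sex", "street", "town", "vehicle", "children")

# Constructed sample rows: (name, ssn, sex, street, town, vehicle, children).
_ROWS = [
    ("Person A", "000-00-0001", "M", "Smith Street", "Anytown", "red pickup", 6),
    ("Person B", "000-00-0002", "M", "Oak Avenue", "Anytown", "blue sedan", 4),
    ("Person C", "000-00-0003", "F", "Smith Street", "Anytown", "white van", 2),
    ("Person D", "000-00-0004", "F", "Oak Avenue", "Anytown", "blue sedan", 1),
    ("Person E", "000-00-0005", "M", "Smith Street", "Anytown", "blue sedan", 3),
    ("Person F", "000-00-0006", "F", "Elm Road", "Anytown", "red pickup", 2),
]
_COLUMNS = ("name", "ssn") + QUASI_IDENTIFIERS
RECORDS = [dict(zip(_COLUMNS, row)) for row in _ROWS]


def strip_direct_identifiers(record):
    """Remove fields that identify a person on their own."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def risky_groups(records, fields, k=2):
    """Return {value combination: count} for combinations shared by fewer than k records."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}


def generalize(record):
    """Coarsen a record: drop street and vehicle, bucket the child count."""
    return {
        "sex": record["sex"],
        "town": record["town"],
        "children": "3+" if record["children"] >= 3 else "0-2",
    }


if __name__ == "__main__":
    stripped = [strip_direct_identifiers(r) for r in RECORDS]
    unique = risky_groups(stripped, QUASI_IDENTIFIERS)
    print("combinations held by one record after removing name/SSN:", len(unique))
    coarse = [generalize(r) for r in stripped]
    remaining = risky_groups(coarse, ("sex", "town", "children"))
    print("combinations held by one record after generalizing:", len(remaining))
```

Removing name and SSN alone leaves every constructed row unique on the remaining attributes; coarsening those attributes is what brings each row into a group of several records.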